Domain 10 - Application Security Flashcards
1
Q
What opportunities does cloud present for application security?
A
- Higher baseline security - CSPs have economic incentives to maintain high security levels, as trust is core to their business model. Multiple security standards and baselines from different verticals enhance overall security
- Responsiveness - being API-based enables a responsive security program, e.g. change firewall rules or update servers
- Isolation - each cloud application can be deployed in its own virtual network (VPC), limiting attack surface and enabling granular security controls
- Independent VMs - use of microservices on smaller VMs - smaller attack surface; granular security controls
- Elasticity - auto scaling means manual processes won’t work; encourages use of immutable servers; increased operational security; remote admin can be disabled
- DevOps - automation of application dev & deployment (e.g. CI/CD pipelines, IaC)
- Unified Interface - for infra and application services; not managed by different teams, reducing failures.
2
Q
What are the challenges that Cloud presents to application security?
A
- Limited detailed visibility
- Increased application scope as dev and ops are integrated; both may need access to the management plane - e.g. applications may need access to the management API, such as creating or deleting an S3 bucket.
- Changing threat model - needs to factor in cloud provider responsibilities
- Reduced transparency (especially in PaaS where some services are provided by CSP - e.g. Message Queues)
3
Q
What are the key phases of any SSDLC?
A
There are many SSDLC models (MSFT, NIST, ISO), but nearly all of them can be grouped as below:
- Secure design and development - includes training, requirements, design, implementation, testing
- Secure deployment - moving from dev to test to stage to production
- Secure operations - continue operating securely - WAFs, Vulnerability assessment, change management, config management etc.
4
Q
In SSDLC, what are the stages in secure design and development phase?
A
- Training - secure coding practices, security tests, technical training (general and CSP specific). Dev, Sec and Ops teams have to be trained
- Define: Security functional requirements; regulations and policy driven requirements
- Design - threat modeling, build in controls, leverage cloud capabilities (e.g. serverless).
- Develop - CI/CD, code review, SAST/DAST
- Test: SAST/DAST/IAST, Unit, Functional, Regression testing, staging; integration of testing into the CI/CD pipeline.
5
Q
In SSDLC, what are the stages in secure deployment phase?
A
- Automated security testing integrated into the CI/CD pipeline.
- Code review: often manual; integrated via Approval Gates in the CI/CD stage
- Testing: Unit, regression and functional tests
- SAST - examine APIs to see if there are embedded credentials
- DAST - fuzzing, web vulnerabilities
- IaC makes immutable architectures possible
- IaC enhances security - operational environment can be more tightly locked down
- Security testing can be integrated into the CI/CD pipeline.
- Protecting the pipeline itself becomes important.
6
Q
How does cloud impact application design and architectures?
A
- Segregation by default - use of SDN to segregate workloads
- Immutable infrastructure
- Serverless (Lambda, API Gateways, PaaS)
- Microservices
- Event driven security
- Software-defined security
7
Q
What is DevOps?
A
- Closer integration of Development and Operations
- Use of automation for the deployment process through CI/CD
- Culture, Philosophy, Processes and Tools
8
Q
What are the benefits of DevOps?
A
- Standardization - CI/CD pipelines produce artifacts uniformly for Dev/Test/Prod
- Automated testing - integration of testing with CI/CD pipelines
- Immutable: pipelines produce master images for VMs, Containers, and Infra quickly for automated deployments
- Improved auditing and change management - who did what, when? Gates for change approval
- DevSecOps - integration of security within the Dev and Deployment process.